Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Re: Security audit of Oracle databases

From: Hemant K Chitale <hkchital_at_singnet.com.sg>
Date: Mon, 11 Apr 2005 23:34:43 +0800
Message-Id: <6.2.0.14.0.20050411233011.01d49848@pop.singnet.com.sg>

Rachel,

You need not have revealed this secret to all and sundry. Who knows, there might
even be a few SOX auditors lurking on this list -- auditors who will now demand
that both the "root" and the "oracle" passwords be split amongst two people each --
requiring 4 SA/DBA persons!

There are auditors who say that the DBA should not log in to the server as "oracle" but should log in as "hemant" and then "su" to oracle {after which he can do as he d* well pleases}. There are auditors who say that the "root" account should not be used but that it is OK to have named accounts with administrative privileges, not knowing what "uid 0" means.

Hemant

At 11:15 PM Monday, you wrote:

>I had a sysadmin at a site once tell me that since I was the only DBA,
>for security reasons, I HAD to give him the password to the oracle
>account... in an email. I replied "you don't need it". He said "oh
>wait, you're right, that's not secure -- leave it to me in a
>voicemail"
>
>I replied again "you don't need it". And later, when there wasn't a
>crowd around, gently explained to him that as root, he had access to
>ANY account on the system... and so did not need the password.

Hemant K Chitale
http://web.singnet.com.sg/~hkchital

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Apr 11 2005 - 11:38:50 CDT
